Face it, software simply rots. It's organic. It's
unstable. You can't trust it after it's been "on the net"
too long. Unfortunately, you can't just keep it in the refrigerator
like last night's leftovers. It's not that the bits lose their
"flavor" overnight; the ones are still ones and the zeros
are still zeros! But as surely as night follows day, the
popular, non-trivial software you bought last month is lessreliable
and more subject to attack today. Here are a few of the
reasons:

New applications assume your PC functions
"as designed" and trip over device firmware or driver
bugs that slipped through testing and were not visible when using
older applications (see my IBM Aptiva story below);

new work habits (e.g. email with embedded HTML,
using Web Servers as document repositories, software handling
meeting scheduling and other secretarial tasks, etc.) place new
demands on old systems;

new "security flaws" are discovered and
publicized, increasing the risk your system will be compromised.

Consider my Christmas present. Last June I
ordered Linux Mandrake "Power Pack 6.0", paying about $50
for the CDs. (Heck, I didn't have RoadRunner then. That's
why I paid so much for "free" software.) Then my wife
gave me Linux Mandrake 6.5 for Christmas having paid $29 at the local
Barns and Noble! I started to take it back when I noticed
virtually every "product" in the package had gone up by at
least one minor version number during the 6 months the original box
had been sitting on my shelf! So much for the
"stability" of Linux, even though it is, in essence, based
on a 25 year old design!

Consider Windows 98: I have 6 PCs in the house
and 2 more away with kids at college. Five of these 8 run
Windows 98, updated last summer to "Second Edition".
The Millennium edition is due out this spring, but rather than
waiting, I run Windows Update fairly regularly on the PCs that my wife
and I use most often.

I just checked the Windows Update history on the
OFFICEPC machine. This is a K6-2 with 128 Meg serving as the
home LAN print server, my wife's PC / graphics terminal, and local web
server for Front Page 2000 development. In addition to the
printer, it has a scanner, video capture card, graphics tablet and
voice recognition software. It's on all the time as a
print server and I can't remember the last time it crashed.
Windows Update history goes back to July, 1998. Since that time,
nearly 100 update installations were performed, some two dozen being
security critical and the rest being feature enhancements or add-on
installations.

Am I crazy to so blindly trust Microsoft?
Well, I DON'T trust the corporation! I trust that developers at
MS are just like the developers that worked with me in AT&T: they
all want to run with the latest software and personally know the
developers responsible for each update. Hence the most stable
and best supported version of any OS is the one the developers are
using themselves! That's why I'm so satisfied using Windows
Update!

Consider my oldest daughter's IBM Aptiva E2N.
I bought this 18 months ago for her to go to college. It came
home at Christmas for Dad to fix. Her brother had installed a
collection of "jukebox" and MP3 players, shortly after which
the CD-ROM disappeared from the configuration. Before looking
into the hardware, I used Windows Update to install all missing
critical and recommended updates. Still no joy. Then I
noticed the "IBM Internet Update" wizard in the start
list. This is IBM's automated update tool for performing the
hardware-specific updates that Windows Update doesn't handle.
The wizard analyzed the PC and checked with the IBM support server; it
reported 16 updates had been released since we bought the PC.
These included two BIOS firmware updates, a CD-ROM firmware update,
and updates of drivers for the IDE controller, the CD-ROM and the
modem. I let the wizard work it's magic and the problem with the
CD-ROM was solved. Even firmware rots!

As a final example, consider the web support for the
McAfee virus scan software.
They too are offering automated "update" of scanner and
signature files. Trend Micro's House
Call doesn't visibly need a download. The scan engine runs
as an ActiveX control downloaded and digitally certified when you
click "Scan Now" on their website. Keeping your PC
safe is more and more a matter of keeping it up-to-date.

The pathology of modern software/firmware rot
could fill books, but the fundamental cause is our inability to write
perfect software. As mentioned in
last week's article, only trivial software is likely to be
flawless; all other claims are likely lies or the result of
ignorance. The easy answer is to continually watch for software
updates as suggested. But....

Caution! The security policy for many large
corporations with centralized and bureaucratic IT support often
forbids users to update their company PCs. These are good people
supporting a historically correct policy. Their motivation is to
prevent you from introducing software they have not tested, approved,
licensed and are prepared to support. If you company requires
you to use Windows 95 because "Windows 98 isn't stable
enough yet," you likely work for such a corporation.
So kids! Don't do this at work without checking your corporate
parents first!

I believe this old "castle,
moat and drawbridge" policy no longer fits the needs of the
e-World user. It isolates the user in a world cut-off from new
features, new tools, free support forums, free updates, etc. But
most of all, it ensures that the user is running software without the
reliability enhancements and security fixes necessary for safe
operation. The IT managers believe they are avoiding trouble by
"freezing" applications, systems, networks, etc. I
believe they are locking themselves into the middle ages. In the
short term, they may save money. In the long term, they are
ensuring their support staff is backward looking and out of touch with
new technology, their employees are inefficient, all their software
includes old security flaws which attackers know well how to exploit,
etc. Most of all, they're ensuring themselves of rising costs as
their technology becomes harder and harder to support, followed by a
massive conversion and retraining cost when the pressure for
technology upgrade becomes irresistible.

Their security depends upon traditional firewalls,
increasingly poked-trough with holes as employees try to get access to
outside services they learned about at home. At the same time,
study after study shows that the serious damage is usually done by the
disgruntled or criminal employee behind the firewall.
Frankly, isolationism is dead. Military tactics abandoned fixed
defensive positions early in WW-II and switched to a dynamic defense
strategy. It's long past time for a much more dynamic approach
to information security.

The alternative is to focus more on holding users,
vendors, employees and corporations accountable for what they do via
the web. We currently try to prevent people from violating the
rules, often interfering with much that is good and seldom blocking
the serious attacker. That type of mandatory control is
necessary in wartime where we can't hold the enemy
"accountable". If the type of e-World we need to
develop, people are justly held accountable for what they do and thus
regulate themselves. This is the basis of a successful free
society. A future InfoSec article will begin to focus on what it
would take to provide just accountability without destroying personal
privacy.

Meanwhile, stay tuned for Thursday's article on Software
Development. In this world where software "product"
rots on the shelf, is the software industry in need of a new business
model? As always, comments welcome.

This site is not
related to the Microsoft Corporation in any way. Windows
and the Windows logo are trademarks of the Microsoft
Corporation. ActiveWindows is an independent site. The information
and sources here are obtained from series of hard work & research.